Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
ID: ede569a8-5c8d-5127-8bd6-01152f9065a7
STIX ID: report--ede569a8-5c8d-5127-8bd6-01152f9065a7
Feed Name: Palo Alto Networks Unit 42
Unit 42 reports a critical buffer-overflow vulnerability (CVE-2026-0300) in the PAN-OS User-ID Authentication Portal that allows unauthenticated root code execution; a likely state-sponsored cluster (CL-STA-1132) has exploited this flaw to inject shellcode, deploy tunneling tools (EarthWorm, ReverseSocks5), perform Active Directory enumeration using firewall credentials, and erase logs to cover tracks. The advisory includes IOCs (IP addresses, hashes, download URLs, user-agent strings, and file paths), recommended mitigations (restrict or disable the portal, enable Threat ID protections), and product-specific defenses for Palo Alto customers.
